(54) Cellular telephony authentication arrangement

(57) A secure cellular telephony arrangement 
where the mobile unit maintains a secret that is 
assigned to it by the service provider, and which is 
known to the provider (home cellular geographic service
area, CGSA) but not to any other base station. A shared
secret datum is generated by the home CGSA with the 
aid of the secret and some other data. That data is 
transmitted to the mobile unit to enable it to also gener- 
ate the shared secret datum. A mobile unit wishing to 
communicate with a base station creates an authentica- 
tion string with the aid of the shared secret datum and 
sends it and the unit's identity to the base station. A 
base station which does not have the shared secret 
datum is unable to immediately authenticate the mobile 
unit. It therefore contacts the home CGSA, receives the 
shared secret datum and the other data, and proceeds 
to authenticate the mobile unit's authentication string. 
With the information received from the home CGSA the 
base station can direct the mobile unit to regenerate the 
shared secret datum or even create a new one. 
Description

[0001] This invention relates to methods for authenti- 
cating a mobile station. 

[0002] In conventional telephony each telephone set 
(fax unit, modem, etc) is physically connected to a 
unique port on a switch at a local central office. The con- 
nection is through a dedicated wire, or through a desig- 
nated channel on a dedicated wire. The wire connection 
is installed by the service provider (who, typically, is the 
common carrier) and, therefore, the service provider 
can be reasonably sure that transmission on the chan- 
nel arrives from the subscriber. By comparison, authen- 
tication of a subscriber in wireless telephony is less 
certain. 

[0003] Under the current cellular telephony arrange- 
ment in the United States, when a cellular telephone 
subscriber places a call, his or her cellular telephone 
indicates to the service provider the identity of the caller 
for billing purposes. This information is not encrypted. If 
an interloper eavesdrops at the right time, he or she can 
obtain the subscriber's identification information. This 
includes the subscriber's phone number and the elec- 
tronic serial number (ESN) of the subscriber's equip- 
ment. Thereafter, the interloper can program his or her 
cellular telephone to impersonate that bona fide sub- 
scriber to fraudulently obtain services. Alternately, an 
interloper can inject himself into an established connec- 
tion, overpower the customer's cellular telephone equip- 
ment by transmitting more power, and redirect the call to 
his or her purposes by sending certain control codes to 
the service provider. Basically, such piracy will succeed 
because the service provider has no mechanism for 
independently authenticating the identity of the caller at 
the time the connection is established and/or while the 
connection is active. 

[0004] Technology is available to permit an eaves- 
dropper to automatically scan all of the cellular frequen- 
cies in a given cell for such identification information. 
Consequently, piracy of cellular telephone services is 
rampant. Also, the lack of enciphering of the speech sig- 
nals lays bare to eavesdroppers the content of conver- 
sations. In short, there is a clear and present need for 
effective security measures in the cellular telephony art, 
and that suggests the use of cryptology for the pur- 
poses of ensuring authentication and privacy. 
[0005] Several standard cryptographic methods exist 
for solving the general sort of authentication problem 
that exists in cellular telephony, but each turns out to 
have practical problems. First, a classical chal- 
lenge/response protocol may be used, based on a pri- 
vate key cryptographic algorithm. In this approach, a 
subscriber's mobile station is issued with a secret key 
which is also known by the home system. When a serving
system wishes to authenticate a subscriber, it applies to
the home system for a challenge and a response to use
with the given subscriber. The home system composes
a random challenge and applies a one-way function to
the challenge concatenated with the subscriber's key to
obtain the corresponding response. The challenge and
response are supplied to the serving system, which
issues the challenge to the mobile station. The mobile
station in turn replies with the response, which it
calculates from the challenge and from its stored secret key.
The serving system compares the responses supplied 
by the home system and by the mobile station, and if 
they match, the mobile station is deemed authentic. 

[0006] The problem with this approach is that often the
serving system is unable to contact the home system
quickly enough to allow authentication of a call setup, or
that the database software on the home system is unable
to look up the subscriber's secret key and compose
the challenge/response pair quickly enough. Network or
software delays of a second or two would add that much
dead time till the subscriber hears a dial tone after
picking up the handset when placing a call, and longer
delays (given the control networks and switching
apparatus currently used by cellular providers) would be
common. In the present milieu, such delays are
unacceptable.

[0007] Public key cryptography provides another 
standard class of ways for solving authentication
problems. Generally speaking, each mobile station would be
provided with a "public key certificate" of identity, signed
by the public key of the service provider, stating that the
mobile station is a legitimate customer of the service
provider. In addition, each mobile would also be given
secret data (private keys) which it can use, together with
the certificate, to prove to third parties (such as the 
serving system) that it is a legitimate customer. 
[0008] For example, a service provider could have a pair
of RSA keys, (F,G), with F private and G public. The
service provider could supply each mobile with its own
pair (D,E) of RSA keys, together with F(E) (the
encryption of the mobile's public key E using the provider's
private key F). Then a mobile asserts its identity by
sending (E,F(E)) to the serving system. The serving
system applies G to F(E) to obtain E. The serving
system generates a challenge X, encrypts it with the
mobile's public key E to obtain E(X) which it sends to the
mobile. The mobile applies its private key D to E(X) to
obtain X, which it sends back to the server in the clear
as a response.

[0009] Although some variations on this theme involve 
less computation or data transmission than others, no 
public key authentication scheme yet exists which is
efficiently executable in less than a second's time on the
sort of hardware currently used in cellular telephones.
Even though network connectivity between the serving
and home systems is not needed at the moment of
authentication, as it is in the classical approach, the
same time constraints which rule out the classical
approach also rule out the public key approach.

EP 0903887 A2

[0010] Another technique is proposed by R.M. Needham
and M.D. Schroeder in Using Encryption for
Authentication in Large Computer Networks, Comm. of
the ACM, Vol. 21, No. 12, 993-999 (Dec. 1978). In brief,
the Needham-Schroeder technique requires that a third,
trusted, party (AS) should serve as an authentication
server which distributes session keys to the prospective
parties (A and B) who are attempting to establish
secure communications. The protocol is as follows:
when party A wishes to communicate with party B, it
sends to authentication server AS his own name, the
name of party B and a transaction identifier. Server AS
returns the name of party B, a session key, the
transaction identifier and a message encrypted with B's key. All
that information is encrypted with A's key. Party A
receives the information, decrypts it, selects the portion
that is encrypted with B's key and forwards that portion
to party B. Party B decrypts the received messages and
finds in it the name of party A and the session key. A last
check (to prevent "replays") is made by party B issuing
[...] session key. A match found at party B authenticates the
identity of party A.

[0011] DE-A-3420874 discloses a method for control- 
ling access to telephone networks, in particular, radio- 
telephone networks, so as to prevent unauthorized 
subscribers from gaining access to the network. This is 
realized by transmitting control information each time a 
connection is attempted by a subscriber system. In 
addition to public subscriber identification, each sub- 
scriber system has secret subscriber identification that 
is known only to the network operator. When a connec- 
tion is established, the public subscriber identification is 
transmitted from the subscriber system to the network 
operator. Subsequently, the network operator transmits 
a code signal that changes with each attempted con- 
nection to the subscriber system. This code signal 
adjusts a coding algorithm that is known only to the net- 
work operator and the subscriber system, and the 
secret subscriber identification is encoded by means of 
this coding algorithm. The encoded secret subscriber 
identification is transmitted to the network operator, 
decoded with the same coding algorithm and checked 
with respect to its concurrence with its corresponding 
item in the public subscriber identification. The connec- 
tion is not established if these identifications do not con- 
cur. 

[0012] According to one aspect of this invention there 
is provided a method as claimed in claim 1.
[0013] According to another aspect of this invention 
there is provided a method as claimed in claim 2. 
[0014] The security needs of cellular telephony are 
met with an arrangement that depends on a shared 
secret data field. The mobile unit maintains a secret that 
is assigned to it by the service provider, and generates 
a shared secret data field from that secret. The service 
provider also generates the shared secret data field. 
When a mobile unit enters the cell of a base station, it 
identifies itself to the base station, and supplies to the 
base station a hashed authentication string. The base 
station consults with the provider, and if it is determined 
that the mobile unit is a bona fide unit, the provider
supplies the base station with the shared secret data field.
Thereafter the mobile unit communicates with the base
station with the assistance of authentication processes
that are carried out between the mobile unit and the
base station, using the shared secret data field. 
[0015] One feature of this arrangement is that the
various base stations do not have access to the secret that
was installed in the mobile unit by the provider. Only the
base stations which successfully interacted with the
mobile unit have the shared secret data field; and that 
number can be limited by the provider simply by direct- 
ing the mobile unit to create a new shared secret data 
field. 

[0016] Another feature of this arrangement is that the
more time consuming authentication process that
utilizes the secret, which takes place only through
involvement of the provider, occurs only infrequently, when a
mobile unit first enters the cell (or when it is suspected
that the shared secret data field has been compromised).

[0017] Call originations, call terminations, and other 
functions are authenticated using essentially the same 
authentication protocol and the same hashing function. 
The few differences manifest themselves in the
information that is hashed.

Brief Description of the Drawing 

[0018]

FIG. 1 illustrates an arrangement of network providers
and cellular radio providers interconnected for
service to both stationary and mobile telephones
and the like;

FIG. 2 depicts the process for directing the creation
of a shared secret data field and the verification of
same;

FIG. 3 depicts the registration process in a visited
base station, for example, when the mobile unit first
enters the cell serviced by the base station;

FIG. 4 shows the elements that are concatenated
and hashed to create the shared secret data;

FIG. 5 shows the elements that are concatenated
and hashed to create the verification sequence;

FIG. 6 shows the elements that are concatenated
and hashed to create the registration sequence
when the mobile unit goes on the air;

FIG. 7 shows the elements that are concatenated
and hashed to create the call initiation sequence;

FIG. 8 depicts the speech encryption and
decryption process in a mobile unit;

FIG. 9 shows the elements that are concatenated
and hashed to create the re-authentication
sequence;

FIG. 10 illustrates the three stage process for
encrypting and decrypting selected control and
data messages; and

FIG. 11 presents a block diagram of a mobile unit's
hardware.

Detailed Description 


[0019] In a mobile cellular telephone arrangement
there are many mobile telephones, a much smaller
number of cellular radio providers (with each provider
having one or more base stations) and one or more
switching network providers (common carriers). The
cellular radio providers and the common carriers
combine to allow a cellular telephone subscriber to
communicate with both cellular and non-cellular telephone
subscribers. This arrangement is depicted
diagrammatically in FIG. 1, where common carrier I and common
carrier II combine to form a switching network
comprising switches 10-14. Stationary units 20 and 21 are
connected to switch 10, mobile units 22 and 23 are free to
roam, and base stations 30-40 are connected to
switches 10-14. Base stations 30-34 belong to provider
1, base stations 35 and 36 belong to provider 2, base
station 37 belongs to provider 4, and base stations
38-40 belong to provider 3. For purposes of this disclosure,
a base station is synonymous with a cell wherein one or
more transmitters are found. A collection of cells makes
up a cellular geographic service area (CGSA) such as,
for example, base stations 30, 31, and 32 in FIG. 1.
[0020] Each mobile unit has an electronic serial
number (ESN) that is unique to that unit. The ESN
number is installed in the unit by the manufacturer, at
the time the unit is built (for example, in a
read-only-memory), and it is unalterable. It is accessible, however.
[0021] When a customer desires to establish a service
account for a mobile unit that the customer owns or
leases, the service provider assigns to the customer a
phone number (MIN1 designation), an area code
designation (MIN2 designation) and a "secret" (A-key). The
MIN1 and MIN2 designations are associated with a
given CGSA of the provider and all base stations in the
FIG. 1 arrangement can identify the CGSA to which a
particular MIN2 and MIN1 pair belongs. The A-key is
known only to the customer's equipment and to the
provider's CGSA processor (not explicitly shown in FIG. 1).
The CGSA processor maintains the unit's ESN, A-key,
MIN1 and MIN2 designations and whatever other
information the service provider may wish to have.
[0022] With the MIN1 and the MIN2 designations and
the A-key installed, the customer's unit is initialized for
service when the CGSA processor sends to the mobile
unit a special random sequence (RANDSSD), and a
directive to create a "shared secret data" (SSD) field.
The CGSA sends the RANDSSD, and the SSD field
generation directive, through the base station of the cell
where the mobile unit is present. Creation of the SSD
field follows the protocol described in FIG. 2.
[0023] As an aside, in the FIG. 1 arrangement each
base station broadcasts information to all units within its
cell on some preassigned frequency channel
(broadcast band). In addition, it maintains two way
communications with each mobile unit over a mutually agreed,
(temporarily) dedicated, channel. The manner by which
the base station and the mobile unit agree on the
communications channel is unimportant to this invention,
and hence it is not described in detail herein. One
approach may be, for example, for the mobile unit to
scan all channels and select an empty one. It would
then send to the base station its MIN2 and MIN1
designations (either in plaintext form or enciphered with a
public key), permitting the base station to initiate an
authentication process. Once authenticated
communication is established, if necessary, the base station can
direct the mobile station to switch to another channel.
[0024] As described in greater detail hereinafter, in the 
course of establishing and maintaining a call on a 
mobile telephony system of this invention, an authenti- 
cation process may be carried out a number of times 
throughout the conversation. Therefore, the authentica- 
tion process employed should be relatively secure and 
simple to implement. To simplify the design and lower 
the implementation cost, both the mobile unit and the 
base station should use the same process. 
[0025] Many authentication processes use a hashing 
function, or a one-way function, to implement the proc- 
esses. A hashing function performs a many-to-one 
mapping which converts a "secret" to a signature. The 
following describes one hashing function that is simple, 
fast, effective, and flexible. It is quite suitable for the 
authentication processes of this invention but, of 
course, other hashing functions can be used. 

The Jumble Process 

[0026] The Jumble process can create a "signature" of
a block of d "secret" data words b(i), with the aid of a
k-word key x(j), where d, i, j, and k are integers. The
"signature" creation process is carried out on one data word
at a time. For purposes of this description, the words on
which the Jumble process operates are 8 bits long
(providing a range from 0 to 255, inclusive), but any other
word size can be employed. The "secret" data block
length is incorporated in the saw tooth function

$s_d(t) = t$ for $0 \le t \le d - 1$

$s_d(t) = 2d - 2 - t$ for $d \le t \le 2d - 3$, and

$s_d(t) = s_d(t + 2d - 2)$ for all $t$.

This function is used in the following process where,
starting with z = 0 and i = 0, for successively increasing
integer values of i in the range $0 \le i < 6d - 5$,

a) $b(s_d(i))$ is updated by:

$b(s_d(i)) = b(s_d(i)) + x(i_k) + \mathrm{SBOX}(z) \bmod 256$

where

* $i_k$ is $i$ modulo $k$, $\mathrm{SBOX}(z) = y + [y/2048] \bmod 256$,
* $y = (z \oplus 16)(z + 111)(z)$,

$[y/2048]$ is the integer portion of y divided by
2048, and $\oplus$ represents the bit-wise
Exclusive-OR function; and

b) z is updated with: $z = z + b(s_d(i)) \bmod 256$.

[0027] It may be appreciated that in the process just
described there is no real distinction between the data
and the key. Therefore, any string that is used for
authentication can have a portion thereof used as a key
for the above process. Conversely, the data words
concatenated with the key can be considered to be the
"authentication string". It may also be noted that each
word b(i), where $0 \le i < d$, is hashed individually, one at a
time, which makes the hashing "in place". No additional
buffers are needed for the hashing process per se.
[0028] The process just described can be easily
carried out with a very basic conventional processor, since
the only operations required are: shifting (to perform the
division by 2048), truncation (to perform the [ ] function
and the mod 256 function), addition, multiplication, and
bit-wise Exclusive-OR functions.
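
An added example, not part of the patent text: a Python sketch of the Jumble process as described above, with the function names chosen here. It assumes the "signature" is the updated block b, that the loop runs for 0 ≤ i < 6d − 5, and that the caller decides which part of the string is the key.

```python
def sawtooth(d: int, t: int) -> int:
    """s_d(t): rises 0..d-1, falls back towards 0, repeats with period 2d-2."""
    if d < 2:
        raise ValueError("block needs at least 2 words so that the period 2d-2 > 0")
    r = t % (2 * d - 2)
    return r if r <= d - 1 else 2 * d - 2 - r


def sbox(z: int) -> int:
    """SBOX(z) = (y + [y/2048]) mod 256, with y = (z XOR 16)(z + 111)(z)."""
    y = (z ^ 16) * (z + 111) * z
    return (y + (y >> 11)) % 256      # the shift is the division by 2048


def jumble(block: bytes, key: bytes) -> bytes:
    """Hash `block` (d 8-bit words) under `key` (k words); returns d words."""
    if not key:
        raise ValueError("key must hold at least one word")
    b = bytearray(block)              # copy; the patent hashes in place
    d, k = len(b), len(key)
    z = 0
    for i in range(6 * d - 5):        # three sawtooth periods plus one step
        j = sawtooth(d, i)
        b[j] = (b[j] + key[i % k] + sbox(z)) % 256
        z = (z + b[j]) % 256
    return bytes(b)


def update_counts(d: int) -> list:
    """How often each word is rewritten during one Jumble run."""
    counts = [0] * d
    for i in range(6 * d - 5):
        counts[sawtooth(d, i)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    data = bytes.fromhex("82a1b2c3") + b"constructed-RANDSSD"
    print(jumble(data, b"constructed-key").hex())
    print(update_counts(4))
```
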
[0029] Returning to the SSD field initialization process
of FIG. 2, when a RANDSSD sequence and the
directive to create a new SSD field (arrow 100 in FIG. 2) are
received by the mobile station, a new SSD field is
generated in accordance with FIG. 4. The mobile unit
concatenates the ESN designation, the A-key, and the
RANDSSD sequence to form an authentication string.
The authentication string is applied to Jumble block 101
(described above) which outputs the SSD field. The
SSD field comprises two sub-fields: the SSD-A subfield
which is used to support authentication procedures, and
the SSD-B subfield which is used to support voice
privacy procedures and encryption of some signaling
messages (described below). It may be noted that a larger
number of SSD subfields can be created; either by
subdividing the SSD field formed as described above or by
first enlarging the SSD field. To increase the number of
bits in the SSD field one needs only to start with a larger
number of data bits. As will be appreciated from the
disclosure below, that is not a challenging requirement.
[0030] The home CGSA processor knows the ESN
and the A-key of the mobile unit to which the received
MIN2 and MIN1 designations were assigned. It also
knows the RANDSSD sequence that it sent. Therefore,
the home CGSA processor is in position to duplicate the
SSD field creation process of the mobile unit. By
concatenating the RANDSSD signal with the ESN
designation and the A-key, and with the above-described
Jumble process, the CGSA processor creates a new
SSD field and partitions it into SSD-A and SSD-B
subfields. However, the SSD field created in the home
CGSA processor must be verified.
[0031] In accordance with FIG. 2, verification of the
created SSD field is initiated by the mobile unit. The
mobile unit generates a challenge random sequence
(RANDBS sequence) in block 102 and sends it to the
home CGSA processor through the serving base
station (the base station that serves the area in which the
mobile unit is located). In accordance with FIG. 5, the
home CGSA processor concatenates the challenge
RANDBS sequence, the ESN of the mobile unit, the
MIN1 designation of the mobile unit, and the newly
created SSD-A to form an authentication string which is
applied to the Jumble process. In this instance, the
Jumble process creates a hashed authentication signal
AUTHBS which is sent to the mobile station. The mobile
station also combines the RANDBS sequence, its ESN
designation, its MIN1 designation and the newly
created SSD-A to form an authentication string that is
applied to the Jumble process. The mobile station
compares the result of its Jumble process to the hashed
authentication signal (AUTHBS) received from the
[...] 104) indicates a match, the mobile station sends a
confirmation message to the home CGSA processor
indicating the success of the update in the SSD field.
Otherwise, the mobile station reports on the failure of
the match comparison.

[0032] Having initialized the mobile station, the SSD 
field remains in force until the home CGSA processor 
directs the creation of a new SSD field. That can occur, 
for example, if there is reason to believe that the SSD 
field has been compromised. At such a time, the home 
CGSA processor sends another RANDSSD sequence 
to the mobile unit, and a directive to create a new SSD 
field. 

[0033] As mentioned above, in cellular telephony each 
base station broadcasts various informational signals 
for the benefit of all of the mobile units in its cell. In 
accordance with the FIG. 1 arrangement, one of the signals
broadcast by the base station is a random or
pseudorandom sequence (RAND sequence). The RAND
sequence is used by various authentication processes 
to randomize the signals that are created and sent by 
the mobile units. Of course, the RAND sequence must 
be changed periodically to prevent record/playback 
attacks. One approach for selecting the latency period 
of a RAND signal is to make it smaller than the expected 
duration of an average call. Consequently, a mobile unit, 
in general, is caused to use different RAND signals on 
successive calls. 

[0034] As soon as the mobile unit detects that it enters 
a cell it registers itself with the base unit so that it can be 
authenticated. Only when a mobile unit is authenticated 
can it initiate calls, or have the base station direct calls 
to it. 

[0035] When the mobile unit begins the registration
process it accepts the RAND sequence broadcast by
the base station and, in turn, it sends to the serving
base station its MIN1 and MIN2 designations and its
ESN sequence (in plaintext) as well as a hashed
authentication string. According to FIG. 6, the hashed
authentication string is derived by concatenating the
RAND sequence, the ESN sequence, the MIN1
designation and the SSD-A subfield to form an authentication
string; and applying the authentication string to the
Jumble process. The hashed authentication string at
the output of the Jumble process is sent to the serving
base station together with the ESN sequence.

[0036] In some embodiments, all or part of the RAND
sequence used by the mobile unit is also sent to the
serving base station (together with the ESN sequence
and the MIN1 and MIN2 designations), because the
possibility exists that the RAND value has changed by
the time the hashed authentication string reaches the
base station.

[0037] On the base station side, the serving base
station knows the RAND sequence (because the base
station created it) and it also knows the ESN and the MIN2
and MIN1 designations with which the mobile unit
identified itself. But the serving base station does not know
the SSD field of the mobile unit. What it does know is
the identity of the mobile unit's home CGSA processor
(from the MIN1 and MIN2 designations). Consequently,
it proceeds with the authentication process by sending
to the mobile unit's home CGSA processor the MIN1
designation, the ESN sequence, the hashed
authentication string that the mobile unit created and transmitted,
and the RAND sequence that the serving base station
broadcast (and which the mobile unit incorporated in
the created hashed authentication string). From the
mobile unit's MIN1 designation and ESN sequence the
home CGSA processor knows the mobile unit's identity
and, hence, the mobile unit's SSD-A subfield. Therefore
it can proceed to create an authentication string just as
the mobile unit did, and apply it to the Jumble process
(FIG. 6). If the hashed authentication string created by
the mobile unit's home CGSA processor matches the
hashed authentication string created in the mobile unit
and supplied by the serving base station, then
verification is deemed successful. In such a case, the home
CGSA processor supplies the serving base station with
the unit's SSD field. As an aside, to keep the ESN
designation and the SSD field secure, the communication
between the base stations and the CGSA processor is
carried in encrypted form.

[0038] In the above-described protocol, the mobile
unit's CGSA processor attempts to verify the validity of
the hashed authentication string. When the verification
is unsuccessful, the CGSA processor informs the
serving base station that the mobile unit was not
authenticated and may suggest that either the contact with the
mobile unit be dropped or that the mobile unit be
directed to retry the registration process. To retry the
registration process the home CGSA processor can
either continue participation in the authentication
process or it can delegate it to the serving base station. In
the latter alternative, the serving base station informs
the home CGSA processor of the ESN sequence and
the MIN1 designation of the mobile unit, and the CGSA
processor responds with the SSD field of the mobile unit
and the RANDSSD with which the SSD field was
created. Authentication, in the sense of creating a hashed
authentication string and comparing it to the hashed
authentication string sent by the mobile unit, is then
carried out by the serving base station. A retry directive can
then be carried out without the home CGSA process by
the serving station sending the RANDSSD to the mobile
unit. This "registration" protocol is depicted in FIG. 3.
[0039] Once the mobile unit has been "registered" at 
the serving base station (via the above-described proc- 
ess) the serving base station possesses the ESN and 
the SSD field of the mobile unit, and subsequent 
authentication processes in that cell can proceed in the 
serving base station without reference to the home 
CGSA processor — except one. Whenever, for any rea- 
son, it is desirable to alter the SSD field, communication 
is effectively between the home CGSA processor and 
the mobile unit; and the serving base station acts only 
as a conduit for this communication. That is because 
creation of a new SSD field requires an access to the 
secret A-key, and access to the A-key is not granted to 
anyone by the CGSA processor. Accordingly, when a 
new SSD field is to be created and the mobile unit is not 
in the area of the home CGSA, the following occurs: 

the home CGSA processor creates a RANDSSD 
sequence and alters the SSD field based on that 
RANDSSD sequence, 

the home CGSA processor supplies the serving 
base station with the RANDSSD sequence and the 
newly created SSD field, 

the serving base station directs the mobile unit to
alter its SSD field and provides the mobile unit with
the RANDSSD sequence,

the mobile unit alters the SSD field and sends a
challenge to the serving base station,

the serving base station creates the AUTHBS string
(described above) and sends it to the mobile unit,
and

the mobile unit verifies the AUTHBS string and 
informs the serving base station that both the 
mobile unit and the serving base station have the 
same SSD fields. 

[0040] Having been registered by the serving base 
station, the mobile unit can initiate calls with an authen- 
tication process as depicted in FIG. 7. The call initiation 
sequence concatenates signals RAND, ESN, SSD-A 
and at least some of the called party's identification 
(phone) number (MIN3 in FIG. 7). The concatenated
signals are applied to the Jumble process to develop a 
hashed authentication sequence that can be verified by 
the serving base station. Of course, to permit verifica- 
tion at the serving base station, the called party's iden- 
tification number must also be transmitted in a manner 
that can be received by the base station (and, as before, 
perhaps a portion of the RAND signal), i.e., in plaintext. 
Once the authentication sequence is verified, the base 
station can process the call and make the connection to
the called party. 
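
An added example, not part of the patent text: a Python model of the registration (FIG. 6) and call initiation (FIG. 7) checks, showing that the serving base station ends up with the SSD but never the A-key. It assumes SHA-256 over length-prefixed fields as a stand-in for Jumble, constructed field values, and a base station that accepts only its current RAND; all class and function names are this example's own.

```python
import hashlib
import hmac
import secrets


def h(*fields: bytes) -> bytes:
    """Stand-in for Jumble (assumption): SHA-256 over length-prefixed fields."""
    m = hashlib.sha256()
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()


def make_ssd(esn: bytes, a_key: bytes, randssd: bytes):
    """FIG. 4: hash ESN, A-key and RANDSSD; split into (SSD-A, SSD-B)."""
    ssd = h(esn, a_key, randssd)
    return ssd[:16], ssd[16:]


class HomeCGSA:
    """Holds the A-key; besides the mobile, the only party able to make an SSD."""
    def __init__(self):
        self.subs = {}  # (MIN2, MIN1) -> subscriber record

    def provision(self, min2, min1, esn):
        a_key, randssd = secrets.token_bytes(8), secrets.token_bytes(7)
        self.subs[(min2, min1)] = {"esn": esn, "a_key": a_key,
                                   "ssd": make_ssd(esn, a_key, randssd)}
        return a_key, randssd  # values installed in / sent to the mobile unit

    def verify_registration(self, min2, min1, esn, rand, auth):
        rec = self.subs.get((min2, min1))
        if rec is None or rec["esn"] != esn:
            return None
        expected = h(rand, esn, min1, rec["ssd"][0])  # FIG. 6 string
        if not hmac.compare_digest(expected, auth):
            return None
        return rec["ssd"]  # the SSD is released, never the A-key


class Mobile:
    def __init__(self, min2, min1, esn, a_key, randssd):
        self.min2, self.min1, self.esn = min2, min1, esn
        self.ssd_a, self.ssd_b = make_ssd(esn, a_key, randssd)

    def register(self, rand):
        return {"min2": self.min2, "min1": self.min1, "esn": self.esn,
                "rand": rand, "auth": h(rand, self.esn, self.min1, self.ssd_a)}

    def originate(self, rand, called):
        # FIG. 7: RAND, ESN, SSD-A and the called number are hashed.
        return {"min2": self.min2, "min1": self.min1, "esn": self.esn,
                "rand": rand, "called": called,
                "auth": h(rand, self.esn, self.ssd_a, called)}


class ServingBaseStation:
    def __init__(self, home):
        self.home = home
        self.rand = secrets.token_bytes(4)  # broadcast RAND
        self.visitors = {}                  # (MIN2, MIN1) -> (ESN, SSD-A, SSD-B)

    def rotate_rand(self):
        old = self.rand
        while self.rand == old:
            self.rand = secrets.token_bytes(4)

    def handle_registration(self, msg):
        if msg["rand"] != self.rand:        # stale RAND: a recorded message
            return False
        ssd = self.home.verify_registration(
            msg["min2"], msg["min1"], msg["esn"], msg["rand"], msg["auth"])
        if ssd is None:
            return False
        self.visitors[(msg["min2"], msg["min1"])] = (msg["esn"], *ssd)
        return True

    def handle_origination(self, msg):      # verified without the home CGSA
        entry = self.visitors.get((msg["min2"], msg["min1"]))
        if entry is None or entry[0] != msg["esn"] or msg["rand"] != self.rand:
            return False
        expected = h(self.rand, entry[0], entry[1], msg["called"])
        return hmac.compare_digest(expected, msg["auth"])


def demo():
    home = HomeCGSA()
    min2, min1, esn = b"908", b"5550100", bytes.fromhex("82a1b2c3")  # constructed
    a_key, randssd = home.provision(min2, min1, esn)
    mobile = Mobile(min2, min1, esn, a_key, randssd)
    # A unit that knows the plaintext identifiers but not the A-key.
    clone = Mobile(min2, min1, esn, secrets.token_bytes(8), randssd)
    bs = ServingBaseStation(home)
    out = {"clone_registers": bs.handle_registration(clone.register(bs.rand))}
    out["call_before_registration"] = bs.handle_origination(
        mobile.originate(bs.rand, b"5550123"))
    reg = mobile.register(bs.rand)
    out["mobile_registers"] = bs.handle_registration(reg)
    call = mobile.originate(bs.rand, b"5550123")
    out["call_accepted"] = bs.handle_origination(call)
    out["altered_number_accepted"] = bs.handle_origination(
        {**call, "called": b"5550199"})
    bs.rotate_rand()
    out["replayed_registration"] = bs.handle_registration(reg)
    out["a_key_at_base_station"] = any(
        a_key in field for entry in bs.visitors.values() for field in entry)
    return out
```
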

[0041] The protocol for connecting to a mobile unit
when it is a "called party" follows the registration
protocol of FIG. 6. That is, the serving base station requests
the called mobile station to send an authentication
sequence created from the RAND sequence, ESN
designation, MIN1 designation and SSD-A subfield. When
authentication occurs, a path is set up between the
base station and the called party mobile unit, for the
latter to receive data originating from, and send data to,
the mobile unit (or stationary unit) that originated the
call.

[0042] It should be noted that all of the authentications
described above are effective only (in the sense of
being verified) with respect to the authenticated
packets, or strings, themselves. To enhance security at
other times, three different additional security measures
can be employed. They are speech encryption, occasional
re-authentication, and control message encryption.

Speech Encryption 

[0043] The speech signal is encrypted by first converting
it to digital form. This can be accomplished in any
number of conventional ways, with or without compression,
and with or without error correction codes. The bits
of the digital signals are divided into successive groups
of K bits and each of the groups is encrypted. More
specifically, in both the mobile unit and the base station
the RAND sequence, the ESN and MIN1 designations, and
the SSD-B subfield are concatenated and applied to the
Jumble process. The Jumble process produces 2K bits
and those bits are divided into groups A and B of K bits
each. In the mobile unit group A is used for encrypting
outgoing speech, and group B is used for decrypting
incoming speech. Conversely in the base station, group
A is used for decrypting incoming speech and group B
is used for encrypting outgoing speech. FIG. 8 depicts
the speech encryption and decryption process.

Re-authentication 

[0044] At the base station's pleasure, a re-authentication
process is initiated to confirm that the mobile unit
which the base station believes is active, is, in fact, the
mobile unit that was authorized to be active. This is
accomplished by the base station requesting the mobile
unit to send a hashed authentication sequence in
accordance with FIG. 9. With each such request, the
base station sends a special (RANDU) sequence. The
mobile unit creates the hashed authentication sequence
by concatenating the RANDU sequence, the area code
MIN2 designation of the mobile unit, the ESN designation,
the MIN1 designation and the SSD-A designation.
The concatenated string is applied to the Jumble process,
and the resulting hashed authentication string is
sent to the base station. The base station, at this point,
is in a position to verify that the hashed authentication
string is valid.
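
The challenge-response of paragraph [0044] with both sides modelled, as an added example that is not code from the patent. Truncated SHA-256 stands in for the Jumble process (an assumption), and the field widths, class names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def jumble_stand_in(data: bytes) -> bytes:
    # ASSUMPTION: truncated SHA-256 stands in for the Jumble process, which
    # is not reproduced here; the 8-byte output width is constructed.
    return hashlib.sha256(data).digest()[:8]


@dataclass(frozen=True)
class Unit:
    min2: bytes   # area code designation
    esn: bytes    # equipment serial number
    min1: bytes   # directory number designation
    ssd_a: bytes  # authentication subfield of the shared secret datum


def auth_string(randu: bytes, unit: Unit) -> bytes:
    # Concatenation order as listed in the text: RANDU, MIN2, ESN, MIN1,
    # SSD-A. Every field is fixed width here, so joining them is unambiguous.
    return jumble_stand_in(randu + unit.min2 + unit.esn + unit.min1 + unit.ssd_a)


class BaseStation:
    def __init__(self, record: Unit):
        self.record = record   # includes the SSD-A it holds for this unit
        self.pending = None    # RANDU awaiting a response

    def challenge(self, randu: bytes = None) -> bytes:
        # A RANDU accompanies every request; the demo injects fixed ones.
        self.pending = randu if randu is not None else secrets.token_bytes(4)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False       # no outstanding challenge
        randu, self.pending = self.pending, None   # each RANDU is used once
        return hmac.compare_digest(auth_string(randu, self.record), response)


def demo() -> dict:
    # Constructed sample values, not real subscriber data.
    genuine = Unit(b"\x02\x01", b"\xA1\xB2\xC3\xD4", b"\x55\x50\x01", b"S" * 8)
    wrong_ssd = Unit(genuine.min2, genuine.esn, genuine.min1, b"X" * 8)
    bs = BaseStation(genuine)

    r1 = bs.challenge(b"\x00\x00\x00\x01")
    first = auth_string(r1, genuine)
    results = {"genuine": bs.verify(first)}

    bs.challenge(b"\x00\x00\x00\x02")            # new request, new RANDU
    results["old_response_reused"] = bs.verify(first)

    r3 = bs.challenge(b"\x00\x00\x00\x03")
    results["wrong_ssd_a"] = bs.verify(auth_string(r3, wrong_ssd))

    results["unsolicited"] = bs.verify(first)    # no challenge outstanding
    return results


if __name__ == "__main__":
    print(demo())
```

Only the response computed over the current RANDU and the correct SSD-A verifies; a unit that presents the right ESN and MIN designations without the SSD-A subfield is rejected.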

Control Message Cryptosystem 

[0045] The third security measure deals with ensuring
the privacy of control messages. In the course of an
established call, various circumstances may arise that
call for the transmission of control messages. In some
situations, the control messages can significantly and
adversely affect either the mobile station that originated
the call or the base station. For that reason, it is
desirable to encipher (reasonably well) some types of
control messages sent while the conversation is in
progress. Alternately, selected fields of chosen message
types may be encrypted. This includes "data" control
messages such as credit card numbers, and call redefining
control messages. This is accomplished with the
Control Message Cryptosystem.

[0046] The Control Message Cryptosystem (CMC) is 
a symmetric key cryptosystem that has the following 
properties: 

1) it is relatively secure, 

2) it runs efficiently on an eight-bit computer, and 

3) it is self-inverting. 

[0047] The cryptographic key for CMC is an array,
TBOX[z], of 256 bytes which is derived from a "secret"
(e.g., SSD-B subfield) as follows:

1. for each z in the range 0 ≤ z < 256, set TBOX[z] = z,
and

2. apply the array TBOX[z] and the secret (SSD-B)
to the Jumble process.

This is essentially what is depicted in elements 301, 302
and 303 in FIG. 8 (except that the number of bits in FIG.
8 is 2K rather than 256 bytes).

[0048] Once the key is derived, CMC can be used to
encrypt and decrypt control messages. Alternately, the
key can be derived "on the fly" each time the key is
used. CMC has the capability to encipher variable
length messages of two or more bytes. CMC's operation
is self-inverting, or reciprocal. That is, precisely the
same operations are applied to the ciphertext to yield
plaintext as are applied to plaintext to yield ciphertext.
Thus, a two-fold application of the CMC operations
would leave the data unchanged.

[0049] In the description that follows it is assumed that
for the encryption process (and the decryption process)
the plaintext (or the ciphertext) resides in a data buffer
and that CMC operates on the contents of that data
buffer such that the final contents of the data buffer
constitute the ciphertext (or plaintext). That means that
elements 502 and 504 in FIG. 10 can be one and the same
register.
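
The key table, in-place buffer and self-inverting behaviour of paragraphs [0047] to [0049], run through the three stages that paragraph [0050] specifies, as an added example that is not code from the patent. The Jumble process is not reproduced here, so `tbox_stand_in` fills the 256-byte TBOX from SHA-256 output as an assumption; the function names and the sample message are constructed.

```python
import hashlib


def tbox_stand_in(ssd_b: bytes) -> bytes:
    # ASSUMPTION: the text derives TBOX by applying the identity table and
    # SSD-B to the Jumble process, which is not reproduced here. This
    # stand-in only supplies 256 secret-dependent bytes (8 x 32-byte digests).
    return b"".join(hashlib.sha256(ssd_b + bytes([n])).digest() for n in range(8))


def stage_one(b: bytearray, tbox: bytes) -> None:
    z = 0
    for i in range(len(b)):
        q = z ^ (i & 0xFF)          # z XOR low-order byte of i
        k = tbox[q]
        b[i] = (b[i] + k) % 256
        z = (b[i] + z) % 256        # z absorbs the byte just written


def stage_two(b: bytearray) -> None:
    d = len(b)
    for i in range(d // 2):         # the integers i with 0 <= i < (d-1)/2
        b[i] ^= b[d - 1 - i] | 1    # OR 1 keeps the XOR mask non-zero


def stage_three(b: bytearray, tbox: bytes) -> None:
    z = 0
    for i in range(len(b)):
        q = z ^ (i & 0xFF)
        k = tbox[q]
        z = (b[i] + z) % 256        # absorb the byte before undoing it
        b[i] = (b[i] - k) % 256


def run_stages(buf: bytearray, tbox: bytes) -> bytearray:
    # In place: the buffer that held the input ends up holding the output.
    stage_one(buf, tbox)
    stage_two(buf)
    stage_three(buf, tbox)
    return buf


def cmc(message: bytes, tbox: bytes) -> bytes:
    if len(tbox) != 256:
        raise ValueError("TBOX must be 256 bytes")
    if len(message) < 2:
        raise ValueError("CMC is specified for messages of two or more bytes")
    return bytes(run_stages(bytearray(message), tbox))


def demo() -> tuple:
    tbox = tbox_stand_in(b"constructed SSD-B")
    msg = b"\x2a constructed control message"
    ct = cmc(msg, tbox)
    one_byte = bytes(run_stages(bytearray(b"\x41"), tbox))
    # (output differs from input, second pass restores it, 1 byte is unchanged)
    return ct != msg, cmc(ct, tbox) == msg, one_byte == b"\x41"


if __name__ == "__main__":
    print(demo())
```

Stage two's OR 1 guarantees a non-zero XOR mask, so a message of two or more bytes never encrypts to itself; on a single byte stage two has nothing to do and stages one and three cancel, leaving the byte unchanged.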

[0050] CMC is comprised of three successive stages,
each of which alters each byte string in the data buffer.
When the data buffer is d bytes long and each byte is
designated by b(i), for i in the range 0 ≤ i < d:

I. The first stage of CMC is as follows:

1. Initialize a variable z to zero,

2. For successive integer values of i in the
range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order
byte of i, where ⊕ is the bitwise boolean
Exclusive-OR operator,

b. form variable k by: k = TBOX[q],

c. update b(i) with: b(i) = b(i) + k mod 256,
and

d. update z with: z = b(i) + z mod 256.

II. The second stage of CMC is:

1. for all values of i in the range 0 ≤ i < (d-1)/2:

b(i) = b(i) ⊕ (b(d-1-i) OR 1), where OR is
the bitwise boolean OR operator.

III. CMC's final stage is the decryption that is
inverse of the first stage:

1. Initialize a variable z to zero,

2. For successive integer values of i in the
range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order
byte of i,

b. form variable k by: k = TBOX[q],

c. update z with: z = b(i) + z mod 256,

d. update b(i) with: b(i) = b(i) - k mod 256.

The three stage process employed to encrypt and
decrypt selected control and data messages is
illustrated in FIG. 10. In one preferred embodiment the first
stage and the third stage are an autokey encryption and
decryption, respectively. An autokey system is a
time-varying system where the output of the system is used
to affect the subsequent output of the system. For
further reference regarding cryptography and autokey
systems, see W. Diffie and M.E. Hellman, Privacy and
Authentication: An Introduction to Cryptography, Proc.
of the I.E.E.E., Vol. 67, No. 3, March 1979.

Mobile Unit Apparatus

[0051] FIG. 11 presents a block diagram of a mobile
unit hardware. It comprises a control block 200 which
includes (though not illustrated) the key pad of a cellular
telephone, the hand set and the unit's power control
switch. Control block 200 is connected to processor 210
which controls the workings of the mobile unit, such as
converting speech signals to digital representation,
incorporating error correction codes, encrypting the
outgoing digital speech signals, decrypting incoming
speech signals, forming and encrypting (as well as
decrypting) various control messages, etc. Block 210 is
coupled to block 220 which comprises the bulk of the
circuitry associated with transmission and reception of
signals. Blocks 200-220 are basically conventional
blocks, performing the functions that are currently
performed by commercial mobile telephone units (though
the commercial units do not carry out encrypting and
decrypting). To incorporate the authentication and
encryption processes disclosed herein, the apparatus
of FIG. 11 also includes a block 240 which comprises a
number of registers coupled to processor 210, and a
"personality" module 230 that is also coupled to
processor 210. Module 230 may be part of the physical
structure of a mobile telephone unit, or it may be a removable
(and pluggable) module that is coupled to the mobile
telephone unit through a socket interface. It may also be
coupled to processor 210 through an electromagnetic
path, or connection. In short, module 230 may be, for
example, a "smart card".

[0052] Module 230 comprises a Jumble processor
231 and a number of registers associated with
processor 231. Alternately, in another preferred embodiment,
only the A-Key is in the module 230. A number of
advantages accrue from installing (and maintaining) the
A-key, and the MIN1 and MIN2 designations in the
registers of module 230, rather than in the registers of block
240. It is also advantageous to store the developed SSD
field in the registers of module 230. It is further
advantageous to include among the registers of module 230 any
needed working registers for carrying out the processes
of processor 231. By including these elements in
module 230, the user may carry the module on his person to
use it with different mobile units (e.g. "extension" mobile
units) and have none of the sensitive information be
stored outside the module. Of course, mobile units may
be produced with module 230 being an integral and
permanent part of the unit. In such embodiments, Jumble
processor 231 may be merged within processor 210.
Block 240 stores the unit's ESN designation and the
various RAND sequences that are received.
[0053] Although the above disclosure is couched in 
terms of subscriber authentication in a cellular teleph- 
ony environment, and that includes personal communi- 
cation networks which will serve portable wallet sized 
handsets, it is clear that the principles of this invention 
have applicability in other environments where the com- 
munication is perceived to be not sufficiently secure and 
where impersonation is a potential problem. This 
includes computer networks, for example.

1. A method for authenticating a mobile station (22) for
use in an arrangement including a home station
(14), a base station (40) and said mobile station
(22), wherein the mobile station (22) sharing with
the home station (14) a key code that is not known
to the base station (40) while refraining from divulging
the key code to the base station (40); the
method comprising the steps of:

the base station (40) receiving from the mobile
station (22) the identity of the mobile station
(22) and an authentication signal constructed
with the aid of a "shared-secret-datum" signal
derived at the mobile station (22) from the said
key code via a transformation of the key code
and additional data;

the base station (40) transmitting to the home 
station (14) the identity of the mobile station; 



and 



eoiciL/iioi iii iy
when an evaluation of the authentication signal
determines that the authentication signal sent 
by the mobile station (22) is valid, said evalua- 
tion is performed with the aid of a "shared- 
secret-datum" signal derived at the home sta- 
tion (14) from said key code via a transforma- 
tion of the key code and additional data. 

2. A method for authenticating a mobile station (22) for 
use in an arrangement including a home station 
(14), a base station (40) and said mobile station 
(22), wherein the mobile station (22) transmits to 
the base station (40) the identity of the mobile sta- 
tion (22) and constructs an authentication signal 
constructed with the aid of a "shared-secret-datum" 
signal derived at the mobile station (22) from a key 
code via a transformation of the key code and addi- 
tional data, the method comprising the steps of: 

the home station (14) sharing with the mobile 
station (14) the key code that is not known to 
the base station (40) while refraining from 
divulging the key code to the base station (40); 
the home station (14) receiving the identity of 
the mobile station (22) from the base station 
(40); and 

the home station deriving a "shared secret 
datum" signal from the key code via a transfor- 
mation of the key code and additional data for 
establishing a call between the base station 
(40) and the mobile station (22) when an evalu- 
ation (40) of the authentication signal deter- 
mines that the authentication signal sent by the 
mobile station (22) is valid, said evaluation is 
performed with the aid of the "shared-secret- 
datum" signal derived at the home station (14) 
from said key code via a transformation of the 
key code and additional data. 

3. A method as claimed in claim 1 or 2 wherein the
authentication signal constructed with the aid of a
"shared-secret-datum" signal derived from said key
code is a hashed string of elements.

4. A method as claimed in claim 3 comprising the
home station (14) verifying the identity of the mobile
station (22), based on the received identity of the
mobile station (22) and the received hashed string.

5. A method as claimed in claim 3 comprising:

a registration protocol for providing the base
station (40) with the "shared-secret-datum" signal;
wherein

the home station (14) sends to the base station
(40) the "shared-secret-datum" signal; and

the base station (40) verifies the identity of the
mobile station (22), based on the identity indication
received from the mobile station (22)
and the "shared-secret-datum" signal received
from the home station (40).

6. A method as claimed in claim 3 comprising the step
of the home station (14) sending to the base station
(40) seed information that permits the mobile station
(22) to regenerate its copy of the
"shared-secret-datum".

7. A method as claimed in claim 3 comprising the
steps of:

the base station (40) sending to the mobile station
(22) a string of bits and a directive to
regenerate its copy of the "shared-secret-datum"
signal; and

the mobile station (22) regenerating its copy of
the "shared-secret-datum" signal with the aid of
the string of bits to form a regenerated
"shared-secret-datum" signal.

8. A method as claimed in claim 7 comprising the
steps of:

the mobile station (22) creating a challenge
string, and sending the challenge string to the
base station (40);

the base station (40) sending a response to the
mobile station (22); and

the mobile station (22) comparing the response
to that of an expected response.



9. A method as claimed in claim 7 comprising the step 
of sending to the base station (40) an indication of 
the result of the step of comparing. 

10. A method as claimed in claim 7 comprising the 
steps of:

the mobile station (22) creating a hashed string
that is related to the regenerated
"shared-secret-datum" signal; and

sending the hashed string to the base station
(40).

EP 0 903 887 A3 




European Patent Office

EUROPEAN SEARCH REPORT

Application Number: EP 98 12 4151

DOCUMENTS CONSIDERED TO BE RELEVANT

Citation of document with indication, where appropriate,
of relevant passages:

DE 34 20 874 A (LICENTIA) 5 December 1985
* page 6, line 1 - page 7, line 16; claim 1 *

CA 2 051 385 A (ERICSSON) 10 September 1991
* page 1, paragraph 1 *
* page 3, line 30 - page 5, line 6 *

MASMOUDI M ET AL: "LES LIGNES PRIVEES VIRTUELLES"
TECHNIQUE ET SCIENCE INFORMATIONS,
vol. 10, no. 2, 1 January 1991, pages 85-96, XP000297685
* page 92, right-hand column, line 9 - line 40 *

Relevant to claim: 1,2 / 1,2,8

Classification of the application (Int.Cl.6): H04L9/32, H04Q7/38

Technical fields searched (Int.Cl.6): H04L, H04Q

The present search report has been drawn up for all claims.

Place of search: THE HAGUE
Date of completion of the search: 16 April 1999
Examiner: Holper, G

ANNEX TO THE EUROPEAN SEARCH REPORT
ON EUROPEAN PATENT APPLICATION NO. EP 98 12 4151

This annex lists the patent family members relating to the patent documents cited in the above-mentioned European search report.
The members are as contained in the European Patent Office EDP file on 16-04-1999.
The European Patent Office is in no way liable for these particulars which are merely given for the purpose of information.



Patent document          Publication   Patent family      Publication
cited in search report   date          member(s)          date

DE 3420874 A             05-12-1985    NONE

CA 2051385 A             10-09-1991    SE 465800 B        28-10-1991
                                       AT 121254 T        15-04-1995
                                       AU 63hm20 R
                                       AU 7495291 A       10-10-1991
                                       CN 1054868 A,B     25-09-1991
                                       DE 69108762 D      18-05-1995
                                       DE 69108762 T      24-08-1995
                                       DK 447380 T        24-07-1995
                                       EP 0447380 A       18-09-1991
                                       FI 2073726 T       16-08-1995
                                          102134 B        15-10-1998
                                       HK 101895 A        30-06-1995
                                       IE 67887 B         01-05-1996
                                       JP 4505693 T       01-10-1992
                                       KR 144560 B        17-08-1998
                                       NO 300249 B        28-04-1997
                                       PT 96979 A,B       30-04-1993
                                       SE 9000856 A       10-09-1991
                                       WO 9114348 A       19-09-1991
                                       US 5390245 A       14-02-1995
                                       US 5282250 A       25-01-1994
                                       US 5559886 A       24-09-1996


§ For more details about this annex : see Official Journal of the European Patent Office, No. 12/82 


